As another test of the high-frequency transmission theory, they could try a "bat detector". E.g. http://www.batbox.com/batbox.asp or http://www.batsound.com/?p=3 These are devices that convert ultrasound (frequencies higher than audible) into audible sound, which can then be heard and/or recorded. That would in principle let them know how often this type of communication is going on.

I have a very hard time believing there are exploits which function by hijacking the microphone and speaker of a computer outside of hearing range. While it may be technically possible, I think practical, real world concerns would preclude any usable data transmission at the kind of ultrasonic frequencies described. Most systems don't have any kind of audio fidelity in those ranges, let alone what you would need for audio modems.

It's not a Halloween hoax Dan made up. @dragosr has been tweeting about this for weeks.

If it were someone less well known in the industry, I'd be more inclined to think it was a hoax, but I think he has stuck with the story too long for it to be a knowing hoax when his career is so dependent on reputation.

Is it not common practice for such malware not to fight someone disabling it on a single machine (voluntarily or not)? Reactivating hardware components automatically is a sure way to get yourself detected.

Once the world knows that such a malware exists, the chances of it being disabled everywhere are much higher.

Too much emphasis on the horror-rumour aspect, too little on actual nuts-and-bolts exploit mechanisms, too little (effectively nothing) on the web about this except only from the cited source for this to have been under examination for years already.

He said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord to rule out the possibility it was receiving signals over the electrical connection.

I assume that the computers he is using are laptops and that when he disconnects the power cord, it's on battery. Otherwise, if a powered-off machine is still communicating... we might be seeing SkyNet or something.

He said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord to rule out the possibility it was receiving signals over the electrical connection.

I assume that the computers he is using are laptops and that when he disconnects the power cord, it's on battery. Otherwise, if a powered-off machine is still communicating... we might be seeing SkyNet or something.

So a virus is using the internal speakers and microphones in laptops to network itself. How come I can barely make intelligible recordings with my built in microphone when I try, yet it is able to do high frequency acoustical coupled networking?

What sort of error correction algorithm is able to filter out all the background noise and isolate the signal from a microphone? That might have more useful and financially lucrative applications than spying on some hacker...

Is it not common practice for such malware not to fight someone disabling it on a single machine (voluntarily or not)? Reactivating hardware components automatically is a sure way to get yourself detected.

Once the world knows that such a malware exists, the chances of it being disabled everywhere are much higher.

So a virus is using the internal speakers and microphones in laptops to network itself. How come I can barely make intelligible recordings with my built in microphone when I try, yet it is able to do high frequency acoustical coupled networking?

What sort of error correction algorithm is able to filter out all the background noise and isolate the signal from a microphone? That might have more useful and financially lucrative applications than spying on some hacker...

Picking up a narrow-band carrier in a noisy channel is actually quite easy... Simple BPSK (Binary-Phase-Shift-Keyed) is easy to detect and decode. I'd be interested to know what bit-rate is achievable, however!

There are some simple tests that could confirm or deny several of these theories. For example, connect an oscilloscope to the speaker pins and check if there is a high-frequency signal there. Find a PC with a BIOS flash ROM that is either socketed or can easily be desoldered, wait for it to exhibit infected behavior, pull out the chip, image it and compare the image to the image installed by the firmware updater.

It is odd, to say the least, that a security consultant wouldn't have tried things like this if he thinks his lab has been infected for three years.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."

This is a bit unclear. How can that machine be attacked by the high-frequency transmissions coming from an infected machine? That's impossible. They had to put a USB stick into that machine at one point and it got infected. I'm not sure how different it is from inserting an infected floppy disk back in the day. Air-gapped or not, once you put some other media into it all bets are off.

So a virus is using the internal speakers and microphones in laptops to network itself. How come I can barely make intelligible recordings with my built in microphone when I try, yet it is able to do high frequency acoustical coupled networking?

What sort of error correction algorithm is able to filter out all the background noise and isolate the signal from a microphone? That might have more useful and financially lucrative applications than spying on some hacker...

Well, given infinite time, your high SNR can become irrelevant. However, that doesn't even begin to explain how an uninfected computer starts listening for and decoding microphone data, without a substantial DSP program.
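Added example (my own code, not from anyone in this thread): a pure-Python software "bat detector" in the spirit of the bat-detector and oscilloscope suggestions earlier. It buries a narrow-band carrier about 19.5 dB below white noise in a constructed buffer and then shows that a single Goertzel bin, integrated coherently over one second, still stands far above its neighbouring bins, which is the integration-time point made above. The sample rate, carrier frequency and all signal levels are assumptions.

```python
import math
import random

# Assumed values (not from the thread): a 48 kHz capture and a carrier near the
# top of what consumer laptop audio hardware can still reproduce and record.
SAMPLE_RATE = 48_000
CARRIER_HZ = 20_000


def make_recording(n_samples, carrier_amp, noise_amp, seed=7):
    """Constructed test buffer: Gaussian room/electronic noise plus an optional
    narrow-band carrier. Real input would be raw samples from the capture device."""
    rng = random.Random(seed)
    out = []
    for i in range(n_samples):
        t = i / SAMPLE_RATE
        out.append(carrier_amp * math.cos(2 * math.pi * CARRIER_HZ * t)
                   + rng.gauss(0.0, noise_amp))
    return out


def bin_power(samples, freq_hz):
    """Power in one DFT bin via the Goertzel algorithm, normalised so that an
    on-bin cosine of amplitude A yields A^2/4 regardless of buffer length."""
    n = len(samples)
    w = 2 * math.pi * round(freq_hz * n / SAMPLE_RATE) / n
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    real = s1 - s2 * math.cos(w)
    imag = s2 * math.sin(w)
    return (real * real + imag * imag) / (n * n)


def carrier_snr_db(samples, freq_hz, guard_hz=500, n_side=16):
    """Suspect-bin power relative to the mean of n_side bins on each side,
    skipping a guard band so the carrier's own skirt does not inflate the floor."""
    bin_hz = SAMPLE_RATE / len(samples)
    floor = 0.0
    for j in range(1, n_side + 1):
        off = guard_hz + j * bin_hz
        floor += bin_power(samples, freq_hz + off) + bin_power(samples, freq_hz - off)
    return 10 * math.log10(bin_power(samples, freq_hz) / (floor / (2 * n_side)))


def carrier_present(samples, freq_hz, threshold_db=10.0):
    """Flag a narrow-band tone that stands well above its spectral neighbourhood."""
    return carrier_snr_db(samples, freq_hz) > threshold_db


if __name__ == "__main__":
    # Amplitude 0.045 against noise sigma 0.3 is about -19.5 dB per sample.
    buf = make_recording(SAMPLE_RATE, carrier_amp=0.045, noise_amp=0.3)
    for seconds in (0.05, 1.0):  # longer window, higher bin SNR
        part = buf[: int(seconds * SAMPLE_RATE)]
        print(f"{seconds:4.2f} s window: {carrier_snr_db(part, CARRIER_HZ):5.1f} dB")
```

A real detector would sweep every bin above the audible band rather than test one assumed frequency, and would use a window function so an off-bin carrier is not smeared into the floor estimate.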

How can that machine be attacked by the high-frequency transmissions coming from an infected machine? That's impossible. They had to put in a USB stick into that machine at one point and it got infected.

Yeah, I'm not sure why that didn't occur to him earlier. If a machine is disconnected from everything else and you use one of your USB drives to do a fresh install... Gee, where do you think the viruses came from?

Picking up a narrow-band carrier in a noisy channel is actually quite easy... Simple BPSK (Binary-Phase-Shift-Keyed) is easy to detect and decode. I'd be interested to know what the bit-rate achievable is, however!

Yes, but what frequency range/channel is both:
A) within the sensitivity range of the microphone
B) able to be reproduced by the speakers
C) not contaminated by other noise in that band from the room or inside the computer itself

Well, given infinite time, your high SNR can become irrelevant. However, that doesn't even begin to explain how an uninfected computer starts listening for and decoding microphone data, without a substantial DSP program.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."

This is a bit unclear. How can that machine be attacked by the high-frequency transmissions coming from an infected machine? That's impossible. They had to put a USB stick into that machine at one point and it got infected. I'm not sure how different it is from inserting an infected floppy disk back in the day. Air-gapped or not, once you put some other media into it all bets are off.

Theory: Because he downloaded a Windows ISO off bittorrent that was already infected?

Regardless of the problem at hand (namely identifying this arcane and elusive malware), I think credit should be given for the rigorous troubleshooting that has been done here. This is the kind of diligence that is all too rare in the world, and I wish more people would appreciate this skill.

If this is a Halloween "scary story" attempt by Ars and this security guy, it's pretty weak, considering the prior reports this guy has been making. Would be like setting up an April Fool's joke for weeks in advance. Sort of defeats the whole purpose to have a "run up" to the scary story / joke.

I don't believe it's a story-hoax / will give Ars the benefit of the doubt. That said, the first thing that popped into my head was "someone in his lab is messing with him". OTOH, nothing surprises me anymore WRT the things a determined hacker can do. At some point we're all likely to be affected by / be the victim of some "Hacker Hiroshima" where some uber-virus like this infects millions of machines, mobile devices, and peripherals, embedding itself quietly before doing all its damage, and then later (after the shit hits the fan) people realizing you can't get rid of it by just wiping your HD clean / re-installing the OS. Would effectively brick anything that is infected.

All the more reason not to buy a computer with a microphone port. Darth Pro FTW! ;-)

Regardless of the problem at hand (namely identifying this arcane and elusive malware), I think credit should be given for the rigorous troubleshooting that has been done here. This is the kind of diligence that is all too rare in the world, and I wish more people would appreciate this skill.

Uh... rigorous?

You serious?

If you suspect firmware level malware, the first thing you should do in my opinion would be to contact the vendor(s) involved with your concerns and send them the hardware/firmware so they can verify whether or not it has been tampered with. Or if you have the skills, extract the firmware yourself, and compare to a known good version. Or if you're actually skilled, disassemble the firmware and examine the code.

Picking up a narrow-band carrier in a noisy channel is actually quite easy... Simple BPSK (Binary-Phase-Shift-Keyed) is easy to detect and decode. I'd be interested to know what the bit-rate achievable is, however!

Yes, but what frequency range/channel is both:
A) within the sensitivity range of the microphone
B) able to be reproduced by the speakers
C) not contaminated by other noise in that band from the room or inside the computer itself